Syslog-ng faq

Syslog-ng FAQ

Every mailing list should have a list of frequently asked questions, and the answers usually given to those questions. Here's one for syslog-ng.

This is Nate Campi's syslog-ng FAQ, found at http://www.campin.net/syslog-ng/faq.html, headers and footers removed.

Disclaimer: Use this information at your own risk, I cannot be held responsible for how you use this information and any consequences that may result. However, every effort has been made to ensure the technical accuracy of this document.

Most questions are taken from actual posts to the syslog-ng mailing list. Truly horrible grammar and spelling were cleaned up, but most questions are identical to the original post.

Feel free to email submissions to nate at campin dot net.

Important Syslog-ng and syslog-related links

Syslog-ng homepage

Syslog-ng mailing list signup

Centralized syslog-ng to mysql database

syslog(-ng) to postgreSQL database howto

Sample syslog-ng conf file

Sample Solaris 8 syslog-ng conf file (for syslog-ng 1.5.x)

An expanded sample syslog-ng conf file

Centralized Syslog Loghost using syslog-ng

Log Analysis Resources (LogAnalysis mailing list)

Building Secure Servers with Linux, 'Chapter 10: System Log Management and Monitoring'

RFC3164, The BSD syslog Protocol

Contents

What is libol?

Compile errors after modifying source code

Replace syslogd with syslog-ng

syslogd and syslog-ng interoperability

Replace Linux klogd

External programs die right away

Logging for chroot environment

Postfix stops logging when syslog-ng is restarted

Creates filenames like "Error" and "SCSI"

DNS and fully qualified domain names

Hostname options

Log archives take up too much space

File permissions and ownership

Long message are cut in half

I want files to be created with the time/date they are received

Write messages to disk the instant they are received

Run syslog-ng chrooted and as a non-root user

Rewrite logs in a specific format

syslog-ng only allows 10 connections to a TCP source

Log output from programs started by syslog-ng

Log reporting/monitoring

Input logs into a database

How fast is it?

How can I catch messages not already filtered?

Connections die when syslog-ng sent HUP signal

Using stunnel, all hosts are 'localhost'

Geting started

What's with this libol stuff, and which one do I need?

libol is a library written by the author of syslog-ng, Balazs Scheidler, which is used in syslog-ng. A built copy of libol needs to be present on a system when syslog-ng is built.

libol does *not* need to be installed, however. A built copy can be left in a typical build directory like /usr/src, and given as a parameter to syslog-ng's configure script. Run './configure --help' in the syslog-ng source directory for more information.

The current 1.4.x (stable) branch uses libol 0.2.x, and the current 1.5.x (development) branch uses libol libol 0.3.x.

Thanks for the patch, I just patched it, and I can't recompile libol. I did a make clean after I patched it, then tried:

 $ make
 Making all in utils
 make[1]: Entering directory `/home/src/libol-0.2.17/utils'
 make[1]: Nothing to be done for `all'.
 make[1]: Leaving directory `/home/src/libol-0.2.17/utils'
 Making all in src
 make[1]: Entering directory `/home/src/libol-0.2.17/src'
 /usr/src/libol-0.2.17/utils/make_class io.c.xt
 /bin/sh: /usr/src/libol-0.2.17/utils/make_class: No such file or directory
 make[1]: *** [io.c.x] Error 127
 make[1]: Leaving directory `/home/src/libol-0.2.17/src'
 make: *** [all-recursive] Error 1

I'm not sure what this means. Should I try the patch again? I just did a

$ patch -ORIG_FILE -DIFF_FILE

This comes from a missing scheme interpreter, touch io.c.x or install scsh.

For much more on libol and scheme in syslog-ng, read this post by Bazsi

If I replace my syslog daemon with syslog-ng, what side effects can it have?

Glad you asked, the most common side effect is being happy with a superior syslog daemon.

Another common result is that system logfiles grow to huge sizes. This isn't syslog-ng's fault, but a side effect of syslog-ng logging to different logfiles than your old syslog daemon. Change your log rotation program's config files to rotate the new log names/locations or change syslog-ng's config file to make it log to the same files as your old syslog daemon.

Running it

I'm new to syslog-ng. Is there a way for syslog-ng and syslogd to co-exist? Our servers are managed by another group, and they don't support syslog-ng. Can you pipe all syslogd messages to syslog-ng?

Yes, syslog-ng can accept messages from stock syslogd using the udp() source.

I want to replace syslogd *and* klogd on my Linux box with syslog-ng.

Use a source line like this in your conf file to read kernel messages, too.

source src { pipe("/proc/kmsg"); unix-stream("/dev/log"); internal(); };

Note: do not run klogd and syslog-ng fetching local kernel messages at the same time. It may cause syslog-ng to block which makes all logging local daemons unusable.

I have been trying syslog-ng and extremely happy with the power of using it. I have one question, when using the program option under destination drivers, my PERL script gets launched when I start syslog-ng, but executes once and then dies. I am using this script to page any time I see an log entry, but it only runs the first time it runs.

You can read log messages on your stdin, so instead of fetching a single line and exiting keep reading your input like this:

#!/usr/bin/perl
while (<>) {
        # send to pager
}

Is it possible to create sockets with syslog-ng similar to how you can do so with syslogd? The reason for this being that I'm running some applications chrooted, and need to open a /dev/log socket that is in that chroot-jail.

Of course you can. Just add a source:

source local { unix-stream("/dev/log"); internal(); };
source jail1 { unix-stream("/jail/dns/dev/log"); };
source jail2 { unix-stream("/jail/www/dev/log"); };

You can do this by using a single source:

source local { 
	unix-stream("/dev/log"); 
	internal(); 
	unix-stream("/jail/dns/dev/log"); 
};

Note that postfix appears to need a log socket in it's chroot jail, or it's logging will stop when you reload syslog-ng:

source postfix { unix-stream("/var/spool/postfix/dev/log" keep-alive(yes)); };

Directories with names like "Error", "SCSI", "", are showing up in the directory that holds the syslogs for the different hosts that we monitor.

Has anyone seen these random directories? Any suggestions on how to deal with them?

From the description it's apparent that logs are being stored in your filesystem with a macro similar to this:

destination std { file( "/var/log/$HOST/$FACILITY"); };

...so that you have directories created with the value of $HOST. This is bad. The host entry in syslog messages is often set to a bad value, especially with messages originating from the UNIX kernel, like SCSI error messages.

The best fix for this is to *never* create files or directories based on unfiltered input from the network (You'd do well to remember that in general). Set the option keep_hostname to (no), and syslog-ng will always replace the hostname field (possibly using DNS, so make sure your local caching DNS is setup correctly).

The author of this FAQ didn't have garbled $HOST macros go away until he modified all clients to run syslog-ng and transfer over TCP (and of course he uses DNS to convert all the hostnames to FQDN, he doesn't trust what the clients send). Both steps might not be required, syslog-ng over UDP might be sufficient, though there's little reason *not* to use TCP. Modern TCP/IP stacks are tuned to handle lots of web connections, so even a central host for hundreds of machines can use TCP without issues from the use of TCP alone. There will be I/O problems with trying to commit that many hosts' logs to disk much sooner under most circumstances.

DNS: I want to use fully qualified domain names in my logs, I have many different hosts named ns1, or www, and don't want the logs mixed up. Also, I have a question concerning the use_dns option. Is this a global option only, or is there some way to change this per source or destination?

First of all, make sure that you have a reliable DNS cache nearby. Nearby may be on the same host or network segment, or even at your upstream provider. Just make sure that you can reach it reliably. syslog-ng blocks on DNS lookups, so you can stop all logging if you start getting DNS timeouts.

Internal syslog-ng DNS caching has recently been worked on, and reportedly works well. This appears to be a good alternative to running a local caching DNS server ('dns_cache(yes);').

Currently the use_dns option is global and cannot be specified on a per-source basis.

See also: the section on hostname options directly below.

What is with all the "hostname" options?

When syslog-ng receives a message it tries to rewrite the hostname it contains unless keep_hostname is true. If the hostname is to be rewritten (e.g. keep_hostname is false), it checks whether chain_hostnames (or long_hostname which is an alias for chain_hostnames) is true. If chain_hostnames is true, the name of the host syslog-ng received the message from is appended to the hostname, otherwise it's replaced.

So if you have a message which has hostname "server", and which resolves to "server2", the following happens:

keep_hostname(yes) keep_hostname(no)

chain_hostname(yes) server server/server2

chain_hostname(no) server server2

I hope this makes things clear.

I archive my logs like this:

file("/var/log/HOSTS/$HOST/$YEAR/$MONTH/$DAY/$FACILITY_$HOST_$YEAR_$MONTH_$DAY" 
 owner(root) group(root) perm(0600) dir_perm(0700)  create_dirs(yes) );

...and over time my archive takes up lots of space. When will syslog-ng implement compression so that I can compress them automatically?

You don't need syslog-ng to compress them, install bzip2 and run a nightly cronjob like this:

 /usr/bin/find /var/log/HOSTS ! -name "*bz2" -type f ! -path "*`/bin/date +%Y/%m/%d`*" 
  -exec /usr/bin/bzip2 {} \;

This might need some explaining: find all non-bzipped files that aren't from today (syslog-ng might still write to them) and compress them with bzip2. This was tested on Debian GNU/Linux with GNU find version 4.1.7.

My syslog-ng.conf has

destination std { file( "/var/log/$HOST/$YEAR$MONTH/$FACILITY" create_dirs(yes)); };

What happens is if /var/log/$HOST/$YEAR$MONTH does not exist, syslog-ng makes that dir, but it's owner is root:other. I think because daemon's effective user ID is root. I want to change dir's owner. Is this possible?

Yes, you can do this using the owner(), group() and perm() options.
For example:

destination d_file { file("/var/log/$HOST/log" create_dirs(yes) 
 owner("log") group("log") perm(0600)); };

a) I have snmptrapd running so that any trap that it receives should be logged to local1. I have a filter taking anything received via local1 to a specific file:

filter snmptrap {facility(local1);};
destination snmptraps { file("/var/log/snmptraps";};

Unfortunately a number of traps are getting cut off at a specific point, and the remainder of the trap ends up in syslog and not in the proper destination.

syslog defaults to 1024 byte long messages, but this value is tunable in syslog-ng 1.5 where you can set it to a higher value.

options { log_msg_size(8192); };

b) Andreas Schulze points out: "We are running snmptrapd and syslog-ng 1.5.x under Solaris 8 and observed exactly the same problem.

This doesn't fix the problem for us. It seems that there is a problem in the syslog(3) implementation at least on Solaris. Maybe on Linux, too. This is important, because snmptrapd feeds its messages via syslog(3) to syslog-ng. So syslog-ng never gets the correct message, because its truncated in libc before syslog-ng receive it.

Our solution was, to patch snmptrapd to log its messages via a local Unix DGRAM socket and use this socket as message source for syslog-ng. This fix the problem and works pretty fine and very stable for more than one year in our environment.

Basically you're screwed on Solaris, but hopefully other implementations aren't as brain-dead.

It seems I have syslog clients with unsynchronized clocks and I have files that were created with the time macros, and their date is wrong. What I want is the files to be created with the time/date they are received.

It's an option. use_time_recvd() boolean.

options { use_time_recvd(true); };

What conf settings can I use for my syslog-ng.conf file so that messages are written to disk the instant they are received?

Add sync(0) to your config file.

options { sync(0); };

I want to run syslog-ng chrooted and as a non-root user.

Use syslog-ng 1.5.x's own -C and -u flags when starting it.

I want to rewrite my logs into a specific format.

Syslog-ng 1.5.3 added support for user definable log file formats. Here's how to use it:
```
destination my_file {
        file("/var/log/messages" template("$ISODATE $TAG $FULLHOST $MESSAGE"));
};
```
For an explanation of available macros read
this post.
I have been experiencing a problem with a syslog-ng (1.4.11) server seemingly only allowing 10 connections to a tcp() source. A quick tour of the code found the offending code at line 341 in afinet.c:
```
self->super.max_connections = 10;
```
It's limited because otherwise it'd be easy to mount a DoS attack against the logger host. You can change this limit run-time without changing the source with the max-connection option to tcp():
```
source src { tcp(max-connections(100)); };
```

Can output from programs started by syslog-ng be captured and logged by syslog-ng?

It's on the todo list. As long as it is not implemented, you might try to redirect the program's output to a named pipe like this:

destination d_swatch { program("swatch 2> /var/run/swatch.err"); }; 
 source s_swatch { pipe("/var/run/swatch.err"); };

Getting fancy

The whole point of setting up a loghost was to report on the logs. How can syslog-ng help?

Syslog-ng is not about reporting on messages. Syslog-ng is a "sink" for syslog messages. Once syslog-ng commits them to some sort of storage (filesystem, database, line printer, etc), it is up to you to scan them.

That being said, Nate Campi's "newlogcheck" page shows how he filters all messages through swatch in real time, and also uses syslog-ng's "match" option to alert on certain message strings.
The fact that this stuff works is a result of syslog-ng's flexibility, not because it was written to be all things to all people. Syslog-ng is a quality daemon because it tries to stay good at one thing and one thing only: being a syslog server.
Look at the links part of this page for the link to Nate's newlogcheck page, and for the link to the Log Analysis page. You'll find plenty of information on log parsing there.

I want to input my logs into a database in real time - why can't I do it?

You can, there's just nothing built into syslog-ng which knows about databases. You simply need to take advantage of syslog-ng's ability to pipe to a program. Follow the links in the links part of this page to read up on how other have done it.

How much log volume can syslog-ng handle?

A search of the mailing list archives shows sites that exceed five gigabytes per day of log data. The limits to throughput in syslog-ng are similar to that of most other network applications, where network and disk I/O are the limiting factors.

How can I filter messages so that only not-already-routed lines will be routed/filtered again?

This is a catchall statement, and should catch all messages which were not accepted any of the previous statements.

log { source(src); filter(DEFAULT); destination(dst); };

I'm using syslog-ng over redirected ports inside an SSH channel and whenever I HUP syslog-ng, the SSH channel closes

syslog-ng closes TCP connections when a SIGHUP is received, but you can change this behaviour with the keep-alive option.

destination remote_tcp { tcp("loghost" port(1514) keep-alive(yes)); };

source tcp_listen { tcp(ip("10.0.0.1") port(5140) keep-alive(yes)); };

I've successfully set up syslog-ng to tunnel through stunnel. I'm having one problem though, all messages come through with a hostname of "localhost", presumably since stunnel is coming from localhost on the syslog server....

Keep the hostname as sent by the remote syslog daemon:

options { keep_hostname(yes); };